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DETAILED ACTION 



This non-final action is in response to the Request for Continued Examination filing of 
09/19/2008. Claims 1, 31-34, 36, and 37 are pending and have been considered as follows. 

Examiner Note 

In light of the applicants' amendments and remarks, the examiner hereby withdraws his 
previous Specification Objection with respect to Claim 35, withdraws his previous Claim 
Objection with respect to Claim 1, and withdraws his previous 35 U.S.C. 1 12 first paragraph 
rejection with respect to Claim 35. 

Claim Rejections - 35 USC § 103 

1 . The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

2. Claim 1 is rejected under 35 U.S.C. 103(a) as being unpatentable over Shinn (US- 
6655585-B2) in view of Collberg et al. (US-6668325-B1). 

The examiner notes that for the considerations below, it appears based on the examiner's 
broadest most reasonable interpretation, that the applicant's limitations, Claim 1 



limitations in particular, are directed towards biometric template comparison verification 
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and typical software code obfuscation and tamper prevention techniques utilizing runtime 
performance improvement techniques commonly referred to as "partial evaluation" or 
"program specialization"; it is also noted that there appear to be additional details in the 
applicant's Specification which describe the software code obfuscation/TSR in greater 
detail than is currently claimed; in addition, the examiner also notes additional details not 
claimed for the applicant's limitations reciting what appears to be varying degrees or 
levels of security desired based on different TSR encoding techniques; 
Claim 1 : 

Shinn discloses a method of biometric verification using an access software application for 
accessing another application, system or other software entity to protect biometric data against 
spoofing or theft comprising, 

- "establishing parameters of the access software application" (i.e. "When the person 
attempts to access the system, the application collects new data") [column 1 lines 37-38]; 
"generating a biometric template for a user by sampling" (i.e. "A person enrolls by 
donating some number of samples of the biometric. From these samples, the biometric 
system creates a model of the particular individual's patterns, which is referred to as a 
template") [column 1 lines 34-37]; 

"employing the biometric template which has been integrated into the access software 
application to evaluate biometric data provided by a user seeking to access the other 
application, system or software entity to provide an evaluation result which either permits 
or denies access by the user" (i.e. "In a verification application, the individual claims an 
identity, and the application retrieves the individual's model from a database and 
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compares the new signal to the retrieved model. The result of this comparison is a match 
score, which indicates how well the new signal matches the template. The application 
then compares the match score obtained with a pre-defined threshold and decides whether 
to allow or deny access to the individual or, for example, to ask the individual for more 
data.") [column 1 lines 39-48]; 
but, Shinn does not explicitly disclose, 

"integrating into the access software application by means of partial evaluation, the 
parameters and the biometric template," although Collberg et al. do suggest utilizing 
partial evaluation for software protection, as recited below; 
- "performing tamper-resistant software (TRS) encoding to the access software application 
including storing the biometric data in an encoded format that is irreversible," although 
Collberg et al. do suggest applying code obfuscation techniques to stored programs, as 
recited below; 

"the step of performing TRS encoding being performed according to one of the 
following: prior to the establishing of parameters, whereby one TRS implementation 
covers multiple platforms and multiple biometric templates," although Collberg et al. do 
suggest applying code obfuscation techniques including varying degrees of security 
dependent on the algorithms and transformations used for the desired level of potency, 
execution time/space, and cost, as recited below; 



Application/Control Number: 1 0/743 ,784 Page 5 

Art Unit: 2436 

"after the establishing of parameters and before generating the biometric template, 
whereby one TRS implementation covers one platform only and multiple biometric 
templates," although Collberg et al. do suggest applying code obfuscation techniques 
including varying degrees of security dependent on the algorithms and transformations 
used for the desired level of potency, execution time/space, and cost, as recited below; 

- "after the establishing of parameters and after generating the biometric template, whereby 
one TRS implementation covers one platform only and one biometric template only," 
although Collberg et al. do suggest applying code obfuscation techniques including 
varying degrees of security dependent on the algorithms and transformations used for the 
desired level of potency, execution time/space, and cost, as recited below; 

however, Collberg et al. do disclose, 

- "Deobfuscation also resembles partial evaluation. A partial evaluator splits a program 
into two parts: the static part which can be precomputed by the partial evaluator, and the 
dynamic part which is executed at runtime. The dynamic part would correspond to our 
original, unobfuscated, program. The static part would correspond to our bogus inner 
program, which, if it were identified, could be evaluated and removed at deobfuscation 
time" [column 31 lines 46-53]; 

"an unobfuscated program P (e.g., an application), stored in memory 140, can be 
obfuscated by an obfuscator executing on CPU 130 to provide an obfuscated program P', 
stored in memory 140, in accordance with one embodiment of the present invention" 
[column 5 lines 19-24]; 
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"FIG. 6 shows an architecture of Kava, the Java obfuscator. The main input to the tool is 
a set of Java class files and the obfuscation level required by the user. The user may 
optionally provide files of profiling data, as generated by Java profiling tools. This 
information can be used to guide the obfuscator to make sure that frequently executed 
parts of the application are not obfuscated by very expensive transformations. Input to the 
tool is a Java application, given as a set of Java class files. The user also selects the 
required level of obfuscation (e.g., potency) and the maximum execution time/space 
penalty that the obfuscator is allowed to add to the application (the cost)" [column 10 
lines 57-67 & column 1 1 line 1]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "integrating into the access software application by means of 
partial evaluation, the parameters and the biometric template" and "performing tamper-resistant 
software (TRS) encoding to the access software application including storing the biometric data 
in an encoded format that is irreversible" and "the step of performing TRS encoding being 
performed according to one of the following: prior to the establishing of parameters, whereby 
one TRS implementation covers multiple platforms and multiple biometric templates" and "after 
the establishing of parameters and before generating the biometric template, whereby one TRS 
implementation covers one platform only and multiple biometric templates" and "after the 
establishing of parameters and after generating the biometric template, whereby one TRS 
implementation covers one platform only and one biometric template only," in the invention as 
disclosed by Shinn for the purposes of providing various degrees of security through software 
code obfuscation. 
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3. Claims 31, 33-34, & 36 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shinn (US-6655585-B2) in view of Collberg et al. (US-6668325-B1) and in further view of 
Kaliski, Jr. (US-6085320-A). 
Claim 31: 

Shinn and Collberg et al. disclose a method of biometric verification using an access software 
application for accessing another application, system or other software entity to protect biometric 
data against spoofing or theft, as in Claim 1 above, but their combination do not explicitly 
disclose, 

"whereby the evaluation result comprises a cryptographic key generated to be either 
correct to permit access by the user or incorrect to deny access by the user," although 
Kaliski. Jr. does suggest utilizing a well known protocol for proving authenticity 
involving keys, as recited below; 

"the cryptographic key being generated to be correct only when the user-provided 
biometric data is found to match the biometric template," although Kaliski, Jr. does 
suggest public key/private key, as recited below; 
however, Kaliski, Jr. does disclose, 

"A standard well known protocol for proving authenticity involves public-key 
cryptography. The client establishes a public key/private key pair and provides the public 
key to the server. In a transaction, to prove its authenticity to the server, the client forms a 
digital signature with its private key on a time-varying message, and the server verifies 
the digital signature with the client's public key. The time-varying message, which may 
be a timestamp or a challenge supplied by the server, is different in each instance. This 
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message, when checked by the server, provides safeguards against a third party 
impersonating the client by simply replaying copies of previous signatures of the client 
that the third party has intercepted or otherwise acquired" [column 1 lines 24-36]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "whereby the evaluation result comprises a cryptographic key 
generated to be either correct to permit access by the user or incorrect to deny access by the user" 
and "the cryptographic key being generated to be correct only when the user-provided biometric 
data is found to match the biometric template," in the invention as disclosed by Shinn and 
Collberg et al. for the purposes of providing additional security through key encryption. 
Claim 33: 

Shinn. Collberg et al.. and Kaliski, Jr. disclose a method of biometric verification using an access 
software application for accessing another application, system or other software entity to protect 
biometric data against spoofing or theft, as in Claim 3 1 above, but the combination of Shinn and 
Collberg et al. do not explicitly disclose, 

- "whereby the evaluation result comprises a key for a symmetric cipher having high 
entropy for its key length, if the user-provided biometric data is found to match the 
biometric template," although Kaliski, Jr. does suggest public key/private key encryption, 
as recited below; 
however, Kaliski, Jr. does disclose, 

"A standard well known protocol for proving authenticity involves public-key 
cryptography. The client establishes a public key/private key pair and provides the public 
key to the server. In a transaction, to prove its authenticity to the server, the client forms a 
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digital signature with its private key on a time-varying message, and the server verifies 
the digital signature with the client's public key. The time-varying message, which may 
be a timestamp or a challenge supplied by the server, is different in each instance. This 
message, when checked by the server, provides safeguards against a third party 
impersonating the client by simply replaying copies of previous signatures of the client 
that the third party has intercepted or otherwise acquired" [column 1 lines 24-36]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "whereby the evaluation result comprises a key for a symmetric 
cipher having high entropy for its key length, if the user-provided biometric data is found to 
match the biometric template," in the invention as disclosed by Shinn and Collberg et al. for the 
purposes of providing additional security through public key/private key encryption. 
Claim 34: 

Shinn, Collberg et al, and Kaliski, Jr. disclose a method of biometric verification using an access 
software application for accessing another application, system or other software entity to protect 
biometric data against spoofing or theft, as in Claim 3 1 above, but the combination of Shinn and 
Collberg et al. do not explicitly disclose, 

"whereby the evaluation result comprises private key of a public/private key pair, if the 
user-provided biometric data is found to match the biometric template," although Kaliski, 
Jr. does suggest public key/private key encryption, as recited below; 
however, Kaliski, Jr. does disclose, 

- "A standard well known protocol for proving authenticity involves public-key 

cryptography. The client establishes a public key/private key pair and provides the public 



Application/Control Number: 1 0/743 ,784 Page 1 0 

Art Unit: 2436 

key to the server. In a transaction, to prove its authenticity to the server, the client forms a 
digital signature with its private key on a time-varying message, and the server verifies 
the digital signature with the client's public key. The time-varying message, which may 
be a timestamp or a challenge supplied by the server, is different in each instance. This 
message, when checked by the server, provides safeguards against a third party 
impersonating the client by simply replaying copies of previous signatures of the client 
that the third party has intercepted or otherwise acquired" [column 1 lines 24-36]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "whereby the evaluation result comprises private key of a 
public/private key pair, if the user-provided biometric data is found to match the biometric 
template," in the invention as disclosed by Shinn and Collbcrg ct al. for the purposes of 
providing additional security through public key/private key encryption. 
Claim 36: 

Shinn, Collberg et al, and Kaliski, Jr. disclose a method of biometric verification using an access 
software application for accessing another application, system or other software entity to protect 
biometric data against spoofing or theft, as in Claim 3 1 above, but the combination of Shinn and 
Collberg et al. do not explicitly disclose, 

"whereby the incorrect cryptographic key is identical in bit-length to the correct 
cryptographic key," although Kaliski, Jr. does suggest utilizing public key/private key 
encryption with a time varying message and digital signature, as recited below; 
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however, Kaliski, Jr. does disclose, 

- "A standard well known protocol for proving authenticity involves public-key 

cryptography. The client establishes a public key/private key pair and provides the public 
key to the server. In a transaction, to prove its authenticity to the server, the client forms a 
digital signature with its private key on a time-varying message, and the server verifies 
the digital signature with the client's public key. The time-varying message, which may 
be a timestamp or a challenge supplied by the server, is different in each instance. This 
message, when checked by the server, provides safeguards against a third party 
impersonating the client by simply replaying copies of previous signatures of the client 
that the third party has intercepted or otherwise acquired" [column 1 lines 24-36]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "whereby the incorrect cryptographic key is identical in bit- 
length to the correct cryptographic key," in the invention as disclosed by Shinn and Collberg et 
al. for the purposes of providing safe guard against replay attacks. 

4. Claims 32 & 37 are rejected under 35 U.S.C. 103(a) as being unpatentable over Shinn 
(US-6655585-B2) in view of Collberg et al. (US-6668325-B1) and in further view of ChowetaL 
(US-6779114-B1). 
Claim 32: 

Shinn and Collberg et al. disclose a method of biometric verification using an access software 
application for accessing another application, system or other software entity to protect biometric 
data against spoofing or theft, as in Claim 1 above, but their combination do not explicitly 
disclose, 
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"whereby the evaluation result comprises branching to a distinct location of the access 
software application if the user-provided biometric data is found to match the biometric 
template," although Chow et al. does suggest control flow encoding, as recited below; 
however, Chow et al. does disclose, 

"Control-flow describes the manner in which execution progresses through the software 
code. The invention increases the complexity of the control flow by orders of magnitude, 
obscuring the flow of its algorithm and preventing the attacker from identifying and 
tampering with targeted areas" [column 6 lines 8-13]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "whereby the evaluation result comprises branching to a distinct 
location of the access software application if the user-provided biometric data is found to match 
the biometric template," in the invention as disclosed by Shinn and Collberg et al. for the 
purposes of providing tamper resistance by control flow encoding. 
Claim 37: 

Shinn and Collberg et al. disclose a method of biometric verification using an access software 
application for accessing another application, system or other software entity to protect biometric 
data against spoofing or theft, as in Claim 1 above, but their combination do not explicitly 
disclose, 

"whereby the TRS encoding comprises mass data encoding for data in array, table or 
message buffer form," although Chow et al. does suggest mass data encoding, as recited 
below; 
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however, Chow et al. does disclose, 

- "If a large number of control transfers are added to the software code, it will be extremely 

difficult for the attacker to identify the specific line of control that he wishes to modify" 

[column 12 lines 23-26]; 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "whereby the TRS encoding comprises mass data encoding for 
data in array, table or message buffer form," in the invention as disclosed by Shinn and Collberg 
et al. for the purposes of providing tamper resistance by mass data encoding. 

Response to Arguments 

5. Applicant's arguments filed 09/19/2008 have been fully considered but they are not 
persuasive. 

The applicants' arguments with respect to Shinn and Collberg et al. not disclosing or 
suggesting, "storing the biometric data in an encoded format that is irreversible," have 
been carefully considered but are non-persuasive; 

o The examiner notes that Collberg et al. at the very least suggests storage in 
combination with obfuscation; 
The applicants' arguments with respect to Shinn and Collberg et al. not disclosing or 
suggesting, "integrating into the access software application by means of partial 
evaluation, the parameters and the biometric template," have been carefully considered, 
but are non-persuasive; 
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o The examiner notes that the purposes of "partial evaluation" still remain the same 
regardless the data/information that is fed into or forwarded as an argument to be 
part of the runtime performance streamlining; that is, the purpose of improving 
runtime performance of the compiled program remains the same and is at the very 
least obvious to one of ordinary skill in the art particularly since code/software 
obfuscation techniques can become very computation intensive where techniques 
which can improve program performance are clearly desirable; 

Conclusion 

6. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Examiner Oscar Louie whose telephone number is 571-270-1684. 
The examiner can normally be reached Monday through Thursday from 7:30 AM to 4:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami, can be reached at 571-272-4195. The fax phone number for 
Formal or Official faxes to Technology Center 2100 is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
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PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/OAL/ 
12/12/2008 



/Nasser G Moazzami/ 

Supervisory Patent Examiner, Art Unit 2436 



